#!/usr/bin/env bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH

while true
do
	read -e -p "输入公网IP：" CommonName
	read -e -p "输入域名：" domain
	echo -e "你输入的IP是：${CommonName}"
	echo -e "你输入的域名：${domain}"
	read -e -p "是否确认(Y/y)：" un
	if [[ ${un} == [Yy] ]]; then
		break
	fi
done

function set_openssl_cnf(){
     cat >openssl.cnf <<-EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req


[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName = Locality Name (eg, city)
localityName_default = Shanghai
organizationName            = Organization Name (eg, company)
organizationName_default    = xiyin organization
organizationalUnitName  = Organizational Unit Name (eg, section)
organizationalUnitName_default  = xiyin
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max  = 64
commonName_default = localhost

[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#keyUsage = tlswebclientauthentication, tlswebserverauthentication
subjectAltName = @alt_names



[v3_ca]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
#CA:true表示此证书为可签发下级证书的CA
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, digitalSignature, keyCertSign



[alt_names]
IP.1 = ${CommonName}
IP.2  = 127.0.0.1
DNS.1 = ${domain}
DNS.2 = xxx.cn

	EOF
}


function generate_rootCA(){
	#1.CA证书
	#生成根证书私钥 ca.key
	openssl genrsa -out ca.key 4096
	#生成根证书请求 ca.csr
	openssl req -new -key  ca.key -out ca.csr -subj "/C=CN/ST=Shanghai/L=Shanghai/O=mkcert development CA/OU=root@iZbp1g7t7ruv0ti4hvsuueZ/CN=mkcert root@iZbp1g7t7ruv0ti4hvsuueZ"

	#查看根证书请求
	openssl req -text -in ca.csr -noout
	#自签发根证书
	openssl x509 -req -days 3650  -extfile openssl.cnf -extensions v3_ca -signkey ca.key -in ca.csr -out ca.crt
	#查看根证书
	openssl x509 -text -noout -in ca.crt




	#服务端证书
	#生成server私钥：server.key
	openssl genrsa -out server.key 4096

	# 生成server.csr请求文件
	openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=Shanghai/L=Shanghai/O=xiyin organization/OU=xiyin"

	#查看请求文件server.csr内容（将会看到X509v3 Subject Alternative Name: IP Address:120.26.124.26, IP Address:127.0.0.1, DNS:xxx.com, DNS:xxx.cn Signature Algorithm: sha256WithRSAEncryption）
	openssl req -text -noout -in server.csr

	#生成证书：
	#使用根证书签发请求文件server.csr生成证书server.crt
	openssl x509 -req -days 3650 -extfile openssl.cnf -extensions v3_req  -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
	#-CA——CA证书的路径，即前面生成的根证书
	#-CAkey——指定CA证书的私钥路径，需要使用根证书相关的私钥。
	#-extfile 指定扩展配置文件
	#-extensions  v3_req——按照openssl.cnf文件中配置的v3_req项添加扩展
	#-CAserial——指定证书序列号文件的路径
	#-CAcreateserial——表示证书序列号文件指定的文件并非已经存在，而由命令去创建。


	#查看证书
	openssl x509 -text -noout -in server.crt
	##用根证书验证server证书
	openssl verify -CAfile ca.crt  server.crt

} 

mkdir -p ca;cd ca
set_openssl_cnf
generate_rootCA

